Nonprofit Security Grant Program

Vulnerability Assessment Worksheet

FY 2016

The NSGP FY2016 Notice of Funding Opportunity requires the submission of a Vulnerability Assessment as part of the application package. Assessments should cover such general areas as threats, vulnerabilities and mitigation options, consequences, perimeter, lighting, and physical protection, etc., as contained in the VA Worksheet.

This VA Worksheet (including Annex 1) must be completed as a record of the vulnerability assessment, and returned with your grant application.

Section 1 - Name of each Assessor Signature of the Assessor Date the and professional credentials Assessment was (CPP, PSP, TLO, military or other conducted security credentials)

Section 2 - Nonprofit Applicant General Information Nonprofit Asset Name(s): Address(s): (US Postal Address) City: County: Zip Code: Business Phone Number: 501(c)(3) Number: Dun and Bradstreet Number: GPS Latitude: (Use Google Earth or Bing to get the latitude and

Nonprofit Security Grant Program … Page - 1 3 March 2016 longitude coordinates for the center of the nonprofit site.) GPS Longitude: Local Law Enforcement First Responder: (Name & Address) Local Fire Department First Responder: (Name & Address) Attach an aerial photo of the nonprofit site that clearly shows the property line and all structures. (Use Google Earth or Bing to create an aerial photograph of the nonprofit site.)

Section 3 – Nonprofit Applicant Background Information (The data from this section should be used by the applicant to complete the Investment Justification (IJ) template, part II. Background.) Membership Size: (Include school populations and initiatives.) Community Served: (Limit the information to the specific cities and counties served.) Onsite Facilities: (Include schools, libraries, event centers, cultural centers, medical center, and worship centers.) Outreach programs: (Youth, homeless, community, and missionary programs.) Historical Artifact Preservation: (Historical artifacts present onsite that could be a target of a terrorist.) Regional, National, or Historical Symbolism: (Limit the information to symbolism that relates directly to the nonprofit site that could attract terrorism.) Section 4 – Nonprofit Applicant Background Information from Previous Grant Applications

How much federal and state security grant funding was received in the past by the nonprofit organization? (List previous grants for 5 years.) What was purchased with past federal and state funding? (List type(s) of equipment and year of purchase.)

Section 5 – Nonprofit Mission Statement (Each applicant is required to include a copy of their mission statement with the investment justification. Understanding the mission of a site in an important part of a vulnerability assessment. Include the Nonprofit Security Grant Program … Page - 2 3 March 2016 mission statement of the nonprofit organization below Mission Statement:

Section 6 – Nonprofit Risk Identification and Prioritization (This section should be used by the applicant to complete the Investment Justification template, part III. Risk.)

Risk is defined as the product of three principal variables: Threat, Vulnerability and Consequence. 1 A well conducted vulnerability assessment should analyze each risk variable.

Threat Assessment:

When possible, the vulnerability assessor(s) for the grant should coordinate with local law enforcement, the regional fusion center, and/or Urban Area Security Initiative (UASI) representatives to get a clear picture of the current threats from terrorism to the nonprofit organization members and site.

For the purpose of the grant, terrorism is defined as human-caused threats against persons or property to achieve political or social objectives.2

6A – In the space provided below write a general threat assessment for the nonprofit site. This section may include non-terrorism related incidents at the nonprofit site, threats that pertain to the function, type, or membership of the non-profit, and information from previous risk assessments, police reports, insurance claims, and discussions with regional fusion centers.

6B- List and prioritize any acts of terrorism against persons or property directed at the nonprofit site that were initiated to achieve political or social objectives during the last 5 years. Attach any photos, news articles or police reports that validate the incidents. Incidents Priority of Impact to the nonprofit site 1. 2. 3. 4. (Note: Prioritize the acts of terrorism from 1-10. 10 being highest priority and 1 the lowest priority) (Add more lines to 6B if needed.)

1 - Risk Management Series, Handbook for Rapid Visual, Screening of Buildings to Evaluate Terrorism Risks FEMA 455 / March 2009, Performing A Rapid Visual Screening, Understanding the Risk Scoring Procedure, p-8

2 - https://www.dhs.gov/strategic-national-risk-assessment-snra, Last viewed on Feb 23, 2016

Nonprofit Security Grant Program … Page - 3 3 March 2016 Vulnerability Assessment:

The assessor should focus on identifying vulnerabilities that could be exploited by acts of terrorism at the nonprofit site. Also, the assessor should provide mitigation option and potential consequences for any act of terror listed in Section 6B or incidents discussed in the Section 6A, above.

Section 6C will be used by the assessor to list and prioritize the vulnerabilities that are determined to have a negative impact on the nonprofit site. This section is designed to help the applicant identify vulnerabilities, consider potential consequences and select target hardening (mitigation) options to complete the investment justification. Not all vulnerabilities identified during the assessment are critical to the operation of the nonprofit site and may not be listed in Section 6C.

Mitigation options and consequences must be listed with the vulnerabilities in the Section 6C. The vulnerability in Section 6C should be cross referenced with incidents described in section 6A & 6B. Section 6C may be used to validate requests for specific equipment in the current application for grant.

The nonprofit vulnerability assessment worksheet template, shown in Annex 1, should be used by the assessor when conducting the onsite assessment. This data will provide the background information for the applicant to complete the investment justification template. It will also provide historical data for the grant application review process.

6C – List and prioritize the vulnerabilities that could be exploited through acts of terrorism/threats directed at the nonprofit site/organization. Also, provide a mitigation option and potential consequences for the vulnerabilities. This data will assist the grant applicant to identify the vulnerabilities; consider target hardening options and consequences to complete the investment justification. List in descending order of priority the site's vulnerabilities, mitigation options and potential consequences.

Mitigation Options should describe and include an Authorized Equipment List number (Sections 14 & 15 Only) for any equipment that will be requested for purchase as part of the grant application. 1 - Vulnerability:

Mitigation Options: (Target Hardening) (If applicable - AEL Sections 14 & 15 Only):

Potential Consequences:(specifically to the site or organization)

2 - Vulnerability:

Mitigation Options: (Target hardening) (If applicable - AEL Sections 14 & 15 Only):

Potential Consequences: (specifically to the site or organization)

3 - Vulnerability:

Nonprofit Security Grant Program … Page - 4 3 March 2016 Mitigation options: (target hardening) (If applicable - AEL Sections 14 & 15 Only):

Potential Consequences: (specifically to the site or organization)

4 - Vulnerability:

Mitigation options: (target hardening) (If applicable - AEL Sections 14 & 15 Only):

Potential Consequences: (specifically to the site or organization)

5 - Vulnerability:

Mitigation options: (target hardening) (If applicable - AEL Sections 14 & 15 Only):

Potential Consequences: (specifically to the site or organization)

6 - Vulnerability:

Mitigation options: (target hardening) (If applicable - AEL Sections 14 & 15 Only):

Potential Consequences: (specifically to the site or organization)

(Add additional vulnerability sections if needed.)

Nonprofit Security Grant Program … Page - 5 3 March 2016 Annex 1: Nonprofit Onsite Vulnerability Assessment (VA) Template

This VA template is provided to assist assessors and applicants collect security related data on the nonprofit organization and site. Please complete and return this Annex with your grant application. Submitted vulnerability assessments should cover the same general areas such as threats, vulnerabilities and mitigation options, consequences, perimeter, lighting, and physical protection, etc.

Assessors and applicants should collectively discuss these security related questions during the assessment phase of the VA. This inclusive approach will help the applicant complete the grant application and help the nonprofit organization become more aware of the risks to the site and members.

Nonprofit Onsite Vulnerability Assessment Template (Provide a written response or map for each question.) Nonprofit Site - Perimeter Assessment Attach an aerial map showing the perimeter and layout around the site. (Describe or attach an aerial map.) Describe the condition and materials that makeup the fence line. (Describe or attach photos.) Is there a perimeter fence or other type of barrier in place around the entire site? (If not, explain.) What are the access points to the site or buildings? (Describe or attach a map.) Does security screening cover all public and private areas? (If not, explain.) Is roof access limited to authorized personnel by means of a locking mechanism? (If not, explain.) Is vehicle traffic entering the site separated from pedestrian traffic? (If not, how is it managed?) Is there vehicle and pedestrian access control at the perimeter of the site? (If not, explain how it is managed.) Are there known deficiencies in the security perimeter? Are they being corrected? What is the status?

Nonprofit Site - Lighting Are all critical areas identified in this vulnerability assessment covered by lights? (If not, explain.) Is the lighting adequate from a security perspective in roadway access and parking areas? (If not, explain.)

Nonprofit Security Grant Program … Page - 6 3 March 2016 What types of lighting are used in the parking area light fixtures? (Explain) Are doorways illuminated for security and safety? (If not, explain.) Are pathways around the site illuminated to assist with movement and safety? (If not explain.) Do the lights assist the CCTV system to detect, recognize and identify activities around the site? (If not, explain.)

Nonprofit Site - Physical Protection Does the physical protection system integrate the lights, cameras, fire alarms, and other sensors into a manageable security system? (If not, explain.) Is there backup power for the security system in the event of a power failure? (If not, explain.) Is there a maintenance plan for the backup power? How often is it tested? (If not, explain.) Are there periodic training and exercising of the alarm protocols and sensors? (If not, explain.) Does the facility use a security company as part of the physical protection system? (If so, explain.) Is security awareness training provided to all employees, volunteers and members? (If not, explain.) Are background checks made on all new employees, and are security personnel re- investigated yearly? (If not, explain.)

Nonprofit Site - Intrusion Detection/CCTV System Does the site have an exterior intrusion detection system? (If not, explain.) If so, does the intrusion detection system provide specific coverage of critical assets? Does the site have a CCTV system in place? If so, how many cameras does it have? Are all significant facility assets under CCTV coverage? (If not, explain.) Is there security control center for the CCTV or IDS systems? On site? Off site? (If not, explain how the physical protection system is monitored.) Who has access to the security control center, and security incident tracking software? (Explain.)

Nonprofit Security Grant Program … Page - 7 3 March 2016 Are there contingency plans for security control center redundancy or back-up? (If not, explain.) Describe the CCTV/camera system: (i.e., analogue, digital, fixed, zoom, color, housing, etc.) Are the cameras programmed to respond to alarms, motion, etc.? (If not, explain.)

Nonprofit - Site Security Patrol Are after hours checks made of facility access points by employees, volunteers, or members? (If not, explain.) Is the perimeter checked routinely by staff, volunteers, members or security? (If not, explain.) Are the results of the patrol documented in a daily security log? (If not, explain.)

Nonprofit - Site Access Control Is there an effective and enforced badge and identification system? (If not, explain.) Is visitor control and inspection evident at the entrance? (If not, explain.) Are passes or decals used to identify authorized vehicles? (If not, explain.) Do sensors such as magnetic switches protect all portals, personnel doors, cargo doors, windows, skylights, roof, hatches, and gates? (If not, explain.) Are access control devices used to gain entry to the site? (If not, explain.) Do the most sensitive areas require multiple identification methods for access, such as PIN numbers and a biometric measurement? (If so, explain.) Where do delivery trucks park? (Attach a map.) Is access to stairs and elevators separated from public, and employee use? (If not, explain.) How do entry lobbies or foyers protect critical assets behind it? (If they do, explain.) How are access paths monitored? (If not, explain.) How is roof access limited to authorized personnel? (If not, explain.) Where are critical assets (people, activities, systems, components, etc.) located in the facility?

Nonprofit Security Grant Program … Page - 8 3 March 2016 (Explain.) Are there procedures in place to identify and verify disabled vehicles, personnel, etc. in close proximity to the perimeter or critical assets? (If not, explain.) What are the access control systems in place? (fences, gates, digital card readers) Are access control systems connected to a security computer network? (If not, explain.) What type of interior detection systems are on site, what do they protect? (Explain)

Nonprofit Site - Operation Security (OPSEC) Are there procedures for reporting suspicious personnel or activities? (If not, explain.)

Nonprofit Site - Visitor Control Are visitors required to sign in or check in with security or the front office? (If not, explain.) Are visitors issued visitor badges that identify them as visitors? (If not, explain.) Are visitors required to be escorted around the site? (If not, explain.) Are visiting vehicles restricted to an area away from any assets in what could become a blast zone? (If not, explain.) Are visitors canalized to the areas or building they have business? (If not, explain.)

Nonprofit Site - Communications plan How does the nonprofit organization communicate with employees, volunteers and members daily? (Explain) How would the nonprofit organization communicate with employees, volunteers and members during an emergency? (Explain) Does the facility have direct communications channels with local law enforcement and fire? If so, please describe & if not, describe how law enforcement and fire would be contacted in the event of an emergency.

Nonprofit Security Grant Program … Page - 9 3 March 2016 Nonprofit Site - Vulnerability Assessment Attachments List any photographs, maps, diagrams or other attachments.

Nonprofit Security Grant Program … Page - 10 3 March 2016